Before conducting a formal risk assessment of an organization’s information resources, an
information security manager should FIRST:
A. map the major threats to business objectives.
B. review available sources of risk information.
C. identify the value of the critical assets.
D. determine the financial impact if threats materialize.
Explanation:
Risk mapping, or a macro assessment of the major threats to the organization, is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment itself. Choices C and D are also components of the risk assessment process, and they are performed after the threats-to-business mapping.
The correct answer here is actually C.
Asset valuation is always the first step in risk assessment. ALWAYS!
Thanks! Was my choice too!
Me too. I wasted too many minutes on this one.
The correct answer is A. Without a threat profile linked to an organization's goals there is no risk to that organization. By the way, in the CISM review manual (Ed 14) – pg 104, it clearly indicates that the first step in performing the risk assessment is asset valuation. This question references the step BEFORE the risk assessment.